WebApps 101: Directory Traversal

Any time you notice that a URL is calling on a file name, test whether a directory traversal vulnerability is present.


Testing for Directory Traversal

An easy way to test is to place ./ in front of the filename in the URL. If the page reloads and looks the same, and the special characters were not stripped out, that is a good indication that no filtering is taking place.

Example: Let’s say your vulnerable URL is below.

http://example.com/file.php?file=hacker.png

We could update it to look like this. If the page reloads and the characters are still present in the browser's address bar, you likely have a directory traversal vulnerability.

http://example.com/file.php?file=./hacker.png

You can then try to read files on the system, such as /etc/passwd, by going to the following URL.

http://example.com/file.php?file=../../../../../etc/passwd
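The probes described above leave a clear trail in the web server's access log, which is where a defender would look for them. As an added example that is not code from the original post, the Python below scans constructed combined-format log lines and tags each request whose query values, after full URL-decoding, contain a ./ filter probe, a .. path segment, a sensitive file name or a NUL byte. It goes a little beyond the post by also catching double-encoded forms such as %252e. The log lines, client addresses, timestamps and the indicator list are all constructed for illustration.

```python
"""Flag directory-traversal probes in web access logs.

Added example, not code from the original post. The log lines below are
constructed in combined-log format; the addresses and timestamps are made up.
"""
import re
from urllib.parse import unquote, urlsplit

# Request line inside a combined-format entry: "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A '..' path segment, with either slash style, anywhere in the value.
DOTDOT_SEGMENT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed list of files that should never be requested via a file parameter.
SENSITIVE_NAMES = ("/etc/passwd", "/etc/shadow", "win.ini", "boot.ini")


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_values(target):
    """Yield (key, fully decoded value) for each pair in the target's query."""
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, decode_fully(value)


def classify_target(target):
    """Return sorted indicator tags for one request target, [] when clean."""
    tags = set()
    for _, value in query_values(target):
        if "\x00" in value:
            tags.add("null-byte")
        if DOTDOT_SEGMENT.search(value):
            tags.add("traversal")
        if value.startswith("./"):
            tags.add("filter-probe")
        if any(name in value.lower() for name in SENSITIVE_NAMES):
            tags.add("sensitive-file")
    return sorted(tags)


def scan_log(lines):
    """Return (client, target, tags) for every line carrying an indicator."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        tags = classify_target(match.group("target"))
        if tags:
            hits.append((line.split(" ", 1)[0], match.group("target"), tags))
    return hits


# Constructed sample: a clean request, the ./ probe, a traversal that read
# /etc/passwd, a double-encoded attempt carrying a NUL, and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?file=hacker.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /file.php?file=./hacker.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /file.php?file=../../../../../etc/passwd HTTP/1.1" 200 1842',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd%2500 HTTP/1.1" 404 210',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(tags)}")
```

The filter-probe tag on its own is weak evidence, since legitimate clients occasionally send ./ paths; its value is in sequence, the same client sending a ./ probe and then .. segments against the same parameter within seconds, which is the exact testing pattern the post describes.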


Dealing With Full Paths

But what if the URL already includes the full path? You may be tempted to go straight to the direct path of the file you're looking for. However, the web server may be configured to serve only files whose path begins within a certain directory. Because of this, you may still need to use the method described above to traverse the directory structure.

Example: Let’s say your vulnerable URL is below.

http://example.com/file.php?file=/var/www/hacker.png

You may be tempted to go straight to the full path of the file you wish to view, but depending on the configuration this could return nothing. Instead, you are better off using the following URL, which keeps the expected prefix and then traverses out of it.

http://example.com/file.php?file=/var/www/../../../etc/passwd


Using a Null Byte

In older versions of PHP, a null byte (URL-encoded as %00) can be used to truncate the path, effectively stripping any file extension that the web application appends to the filename. This can be very helpful when trying to execute a file whose extension differs from what the web app is intended to serve.

Example: Let’s say your vulnerable URL is below.

http://example.com/file.php?file=hacker

The web application itself appends the .png extension to the end of the filename, so it serves the file named hacker.png from its present working directory.

This is problematic for us as hackers because we may want to read /etc/passwd (as an example) using the following URL.

http://example.com/file.php?file=../../../etc/passwd

When we request this, the web server appends .png to the filename, so the request resolves to /etc/passwd.png. We can get around this by appending %00 to the filename we want; the null byte terminates the string, so the appended .png is ignored.

http://example.com/file.php?file=../../../etc/passwd%00
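The two weaknesses in the last two sections, a prefix check on the raw path that /var/www/../../../etc/passwd slips through and an extension appended after validation that %00 strips off again, are easiest to see next to the fix. As an added example that is not code from the original post, the Python below contrasts a weak resolver built the way the post describes with a hardened one that rejects NUL bytes, appends the extension before canonicalising, and confines the resolved real path to the web root. The web root is a constructed temporary directory standing in for /var/www, and the function names are my own.

```python
"""Weak prefix check vs. canonical-path containment for a file= parameter.

Added example, not code from the original post. WEB_ROOT is a constructed
temporary directory standing in for /var/www; function names are my own.
"""
import os
import tempfile

EXTENSION = ".png"  # the extension the application appends to every request
PLACEHOLDER = b"\x89PNG constructed placeholder"  # constructed file content

# Constructed fixture: a web root holding the one file the app should serve.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot-")
with open(os.path.join(WEB_ROOT, "hacker.png"), "wb") as fh:
    fh.write(PLACEHOLDER)


def resolve_weak(web_root, requested):
    """The 'path must begin within a certain directory' check from the post.

    It compares the raw string before '..' segments are collapsed, so
    /var/www/../../../etc/passwd passes, and it appends the extension after
    the check, which is what the %00 trick on old PHP stripped off again.
    (Without a trailing separator it also accepts /var/www2/... paths.)
    """
    candidate = requested if os.path.isabs(requested) else os.path.join(web_root, requested)
    if not candidate.startswith(web_root):
        raise PermissionError("outside web root")
    return candidate + EXTENSION


def effective_path(path):
    """The path the kernel actually opens once '..' segments are collapsed."""
    return os.path.normpath(path)


def resolve_hardened(web_root, requested):
    """Reject NUL bytes, fix the extension first, then confine the real path."""
    if "\x00" in requested:
        raise ValueError("NUL byte in filename")
    root = os.path.realpath(web_root)
    # Append the extension before canonicalising so nothing can follow the
    # check, then collapse '..' segments and resolve symlinks. os.path.join
    # discards `root` when `requested` is absolute, which is why the
    # containment test runs on the final path rather than on the input.
    candidate = os.path.realpath(os.path.join(root, requested + EXTENSION))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError("outside web root")
    return candidate


def serve_hardened(web_root, requested):
    """Return the file's bytes, or None when the request is rejected or absent."""
    try:
        with open(resolve_hardened(web_root, requested), "rb") as fh:
            return fh.read()
    except (ValueError, PermissionError, FileNotFoundError):
        return None


if __name__ == "__main__":
    for probe in ("hacker", "/var/www/../../../etc/passwd", "../../../etc/passwd\x00"):
        try:
            weak = effective_path(resolve_weak("/var/www", probe))
        except PermissionError as exc:
            weak = f"rejected ({exc})"
        try:
            hard = resolve_hardened(WEB_ROOT, probe)
        except (ValueError, PermissionError) as exc:
            hard = f"rejected ({exc})"
        print(f"{probe!r}\n  weak     -> {weak}\n  hardened -> {hard}")
```

The order of operations is the whole point: validate on the path the filesystem will actually open, not on the string the client sent, and make sure nothing is concatenated onto the path after that validation.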
